[[http://www.netfilter.org/|Netfilter]] is the packet filtering framework inside the [[wp>Linux kernel]]. It provides packet filtering, network address [and port] translation (NA[P]T), connection tracking and other packet manipulations (mangling). It is far more than a simple firewall. For nftables, see [[doc/howto/nftables]].

Usually the user space programs <color red>**''iptables''**</color>, <color red>**''ip6tables''**</color>, <color red>**''ebtables''**</color> or <color red>**''arptables''**</color> are used to //configure// how network packets are handled. See the scheme **[[http://upload.wikimedia.org/wikipedia/commons/d/dd/Netfilter-components.svg|Netfilter Components]]** by Jan Engelhardt for an overview of the current and planned netfilter components.

| {{:meta:icons:tango:dialog-information.png?nolink}} | **''Note1:''** In OpenWrt bridge firewalling is disabled by default, i.e. frames forwarded between the ports of a bridge (e.g. ''br-lan'') never reach ''iptables''. It can be enabled by editing ''/etc/sysctl.conf'': <code bash>net.bridge.bridge-nf-call-arptables=0
net.bridge.bridge-nf-call-ip6tables=0
net.bridge.bridge-nf-call-iptables=1</code> and then reloading the configuration with <code bash>sysctl -p</code> This is required by the netfilter module "physdev" and also by ebtables. Be aware that, once enabled, IPv4 traffic between ports of the same bridge (e.g. wired LAN to WLAN) traverses the ''FORWARD'' chain of ''iptables'' and is subject to its rules and policy; add an explicit rule (e.g. ''-m physdev --physdev-is-bridged -j ACCEPT'') if that traffic must keep flowing. Set ''net.bridge.bridge-nf-call-ip6tables=1'' as well if bridged IPv6 traffic should be filtered by ''ip6tables''. |

===== Installation =====

Netfilter is included in the kernel and does not have to be installed. The user space programs and the kernel modules are packed into [[doc:techref:opkg]] packages. Install the ones you need. Always install the ''iptables-mod-*'' package rather than the bare kernel module: the matching ''kmod-ipt-*'' package is pulled in as a dependency. See [[doc:howto:netfilter#OPKG Netfilter Packages]] for the available packages.

===== Explanation =====

Please have a look at this most excellent scheme: **[[http://upload.wikimedia.org/wikipedia/commons/3/37/Netfilter-packet-flow.svg|Netfilter Packet Flow]]** by Jan Engelhardt to understand how a packet traverses netfilter. The green parts are the domain of ''iptables'' and ''ip6tables'', while the blue parts are handled by ''ebtables''.

Do not make the mistake of placing your LAN on the left side and the Internet on the right side in your mind. Both are on both sides! When a packet enters the Linux kernel (i.e. the ingress buffer of the [[wp>Network interface controller|NIC]] / [[wp>Wireless network interface controller|WNIC]]) it always comes in on the left side, regardless of which [[doc:networking:network.interfaces|interface]] it arrives on. It traverses the network stack and netfilter, and when it leaves, it always leaves on the right side. While the packet traverses a chain, netfilter checks the rules of that chain in order. When a rule matches the packet, the rule is applied, i.e. the packet is sent to the TARGET specified in that rule. If the target is a terminating one (''ACCEPT'', ''DROP'', ''REJECT'', ''RETURN'' and the NAT targets ''SNAT''/''DNAT''/''MASQUERADE''), the packet stops traversing that chain; an ''ACCEPT'' only ends the current table at this hook, the packet then continues with the next table/hook in the diagram. Non-terminating targets such as ''-j LOG'' and ''-j MARK'' perform their action and the packet continues with the next rule of the same chain. ''-j CUSTOM_CHAIN'' jumps into a user-defined chain; if the packet reaches the end of that chain without hitting a terminating target (or hits ''-j RETURN''), matching resumes at the rule after the jump. If no rule of a built-in chain matches, the chain's //policy// (set with ''-P'') decides.

===== Configuration =====

Netfilter is part of the Linux kernel. The packet filter rules in the kernel are configured with the user space command line tools of netfilter: ''[[man>iptables]]'', ''[[man>ip6tables]]'', ''[[man>ebtables]]'', ''[[man>arptables]]'' and ''[[man>ipset]]''. Use them as follows:

| {{:meta:icons:tango:dialog-information.png?nolink}} | **''Note:''** All rules can contain a [[wp>Fully qualified domain name|FQDN (Fully qualified domain name)]] instead of an IP address. But the FQDN is resolved to IP addresses only once, when the rule is entered, and the rules are created with those IP addresses (one rule per address if the name resolves to several). Thus, if the DNS record is updated later, the IP addresses resolved at that time may no longer match the FQDN.\\ A rule that follows DNS changes can instead be built with ''ipset'' and ''[[doc:uci:ipset-dns]]'': the rule matches the set, and the set is kept up to date with the addresses resolved for the name. |

Per invocation you can set up only one //rule//; the command is checked for mistakes and if none are found, the rule is written to the kernel table in RAM and is active immediately (it does not survive a reboot unless it is saved or re-applied by a script at boot). An iptables/ip6tables command is composed of two parts: part one always names the <color LightSeaGreen>table</color> (''-t'', defaults to ''filter'' if omitted), a <color magenta>command</color> (e.g. ''-A'' append, ''-I'' insert, ''-D'' delete, ''-N'' new chain, ''-P'' policy) and the <color green>chain</color> this particular rule belongs to; part two specifies the <color blue>match</color>es and the <color red>TARGET</color> (''-j''). A rule has at most one TARGET (a rule without ''-j'' only counts the matching packets), but multiple matches are possible.
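As an added example (not from the original page and not part of the OpenWrt firewall package), the following script puts the two-part rule structure described above and the matching behaviour from the Explanation section into practice: a user-defined chain in which the non-terminating ''LOG'' falls through to ''DROP'', rules with several matches and one target, an ''ipset'' match in place of an FQDN that would be resolved only once, and the chain policies set last. The interface names ''br-lan'' and ''eth0'' and the ipset name ''blocked'' are assumptions; a real router may use different names, and the ''-m set'' match requires ipset support to be installed. Run it with ''APPLY=1'' as root on the router to install the rules; without ''APPLY=1'' it prints each ''iptables'' command instead, which is useful for checking the ruleset before applying it.

```sh
#!/bin/sh
# Added example: a small hand-written iptables ruleset in the two-part form
# described on this page (part one: -t table, command, chain; part two:
# matches and -j TARGET). This is not OpenWrt's own firewall script.
# Assumptions (hypothetical names): LAN bridge is br-lan, WAN is eth0, and
# an ipset named "blocked" (hash:ip) holds destination addresses to reject.
# Without APPLY=1 the script only prints the commands (dry run).

LAN=br-lan
WAN=eth0

if [ "${APPLY:-0}" = 1 ]; then
    IPT=iptables
    IPSET=ipset
else
    IPT=echo            # dry run: print every rule instead of installing it
    IPSET=echo
fi

apply_rules() {
    # Start from empty tables so the script is repeatable.
    "$IPT" -t filter -F
    "$IPT" -t filter -X
    "$IPT" -t nat -F

    # The set must exist before a rule can reference it (-exist: no error
    # if it is already there). On a live system it is filled by ipset-dns
    # or by hand with "ipset add blocked <address>".
    "$IPSET" create blocked hash:ip -exist

    # User-defined chain: LOG is non-terminating, so a matching packet is
    # logged by the first rule and then falls through to the DROP.
    "$IPT" -t filter -N logdrop
    "$IPT" -t filter -A logdrop -m limit --limit 10/min -j LOG --log-prefix "fw-drop: "
    "$IPT" -t filter -A logdrop -j DROP

    # Accept rules go in before the policies are tightened, so a remote
    # admin session is never cut off half way through the script.
    "$IPT" -t filter -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A INPUT -i lo -j ACCEPT
    # Several matches (-i, -p, --dport, -m conntrack), exactly one target.
    "$IPT" -t filter -A INPUT -i "$LAN" -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
    "$IPT" -t filter -A INPUT -i "$LAN" -p udp --dport 53 -j ACCEPT
    # Jump into the user-defined chain; DROP there terminates traversal.
    "$IPT" -t filter -A INPUT -j logdrop

    # Forwarding: match on the ipset rather than on an FQDN resolved once.
    "$IPT" -t filter -A FORWARD -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    "$IPT" -t filter -A FORWARD -i "$LAN" -m set --match-set blocked dst -j logdrop
    "$IPT" -t filter -A FORWARD -i "$LAN" -o "$WAN" -j ACCEPT
    "$IPT" -t filter -A FORWARD -j logdrop

    # nat table: masquerade LAN clients behind the WAN address.
    "$IPT" -t nat -A POSTROUTING -o "$WAN" -j MASQUERADE

    # Policies last: they apply only to packets no rule matched.
    "$IPT" -t filter -P INPUT DROP
    "$IPT" -t filter -P FORWARD DROP
    "$IPT" -t filter -P OUTPUT ACCEPT
}

apply_rules
```

Because ''logdrop'' ends in ''DROP'', every packet that reaches the final ''-j logdrop'' rules is discarded, so the ''DROP'' policies only matter for packets arriving while the script is still building the chains; that is also why the ''ESTABLISHED,RELATED'' and SSH rules are added before the policies are changed.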

| {{:meta:icons:tango:48px-outdated.svg.png?nolink}} | ''ebtables'' is no longer available in official builds because of its performance implications ([[https://forum.openwrt.org/viewtopic.php?pid=94379#p94379]]). Use [[about/toolchain|OpenWrt Buildroot]] if you need ''ebtables'' support. |

| {{:meta:icons:tango:48px-outdated.svg.png?nolink}} | According to [[https://forum.openwrt.org/viewtopic.php?pid=203789#p203789|jow]] the ''physdev'' module for iptables is available in 12.09 and in all snapshot builds since then. |

^ Package ^ Version ^ Size ^ Description ^
| ebtables | 2.0.9-2-1 | 51727 | The ebtables program is a filtering tool for a bridging firewall. The filtering is focused on the Link Layer Ethernet frame fields. Apart from filtering, it also gives the ability to alter the Ethernet MAC addresses and implement a brouter. Manpage: ''[[man>ebtables]]'' |

To quickly obtain a current overview, type ''opkg list iptables-mod-*''. Install the user space module; the kernel modules are listed as dependencies and will be installed as well.

| {{:meta:icons:tango:48px-outdated.svg.png?nolink}} | Since [[https://dev.openwrt.org/changeset/30676/trunk|r30676]] ''iptables-mod-conntrack'' and ''iptables-mod-nat'' are folded into the default package ''iptables'' to save storage space. |